Yes, your smartphone may be spying on you – but not how you suspect

Researchers at Northeastern University testing smartphones to see if the apps on them leaked data. (Photo: David Choffnes)

SAN FRANCISCO – Think your smartphone is spying on you? Researchers at Northeastern University looked at 17,260 Android apps and found evidence of a few that were snooping, but not in the way users have speculated.

First, the good news for the paranoid: None of them surreptitiously turned on a phone's microphone, recorded audio or sent it to someone without being specifically asked to do so. That puts paid to the conspiracy theory that our phones are always listening to us and using what they hear to target us with ads.

Also, none of the apps turned on the phone's camera and shot video of whatever it was pointed at.

However, a tiny number of the apps weren't benign.

The researchers went through the initial 17,000 and found 9,000 had code that requested permission from the phone to use its camera or microphone.

Of those 9,000, 12 turned out to be sending screenshots of what the user did in the app to either the app developers or a third party.

“This was actually good news,” Dave Choffnes, a professor of computer science at Northeastern and one of the researchers, told USA TODAY on Thursday. “We wouldn’t want to analyze 9,000 apps and find that even 10 percent were doing that. That would be an awful result.”

Ice-cream delivery app records everything

The most troubling was the GoPuff app, which allows users in several cities to order snacks, drinks and ice cream for delivery. It was actively making recordings of everything the user did on the app and sending them to Appsee, an app analytics platform.

Known as "full-session replay technology," it allows whoever is getting the file to see everything you did on the app, whether it was playing a game, typing in your address, your shoe size or your credit-card number.

Google – maker of the Android operating system – said after reviewing the Northeastern researchers' findings it had determined that a part of Appsee's services may put some developers at risk of violating its policies. It says it's working with Appsee to ensure developers appropriately communicate what it does with apps' end-users.

One possible use of the Appsee program is to allow a company to collect a random number of screen videos.

“If you’re just checking for problems, let’s say your app is crashing and you’re trying to figure out why it’s crashing, you might be able to use Appsee to see what the user was doing when the app crashed. You would essentially look over the user’s shoulder when the problem is occurring,” he said.

Appsee said its terms of service forbid customers from tracking personal data with Appsee.

“It appears that Appsee's technology was misused by the customer and that our Terms of Service were violated. Once this issue was brought to our attention we immediately disabled tracking capabilities for the mentioned app and purged all the relevant data from our servers,” said Appsee CEO Zahi Boussiba.

GoPuff did not respond to a request for comment from USA TODAY.

Any app that includes such code needs to notify users and get their consent, Choffnes said.

The choice of words is telling. The Panopticon was a plan for building prisons created in England in the 1790s by Jeremy Bentham. The prison's circular design allowed a large number of inmates to be watched by a single guard, without the inmates being able to tell when they were under observation.

It comes from the giant Argus Panoptes, who in Greek mythology had many eyes, some of which were always awake and watching even while the giant slept.